
[Subscriber Management] Example Configuration - Firewall filter for subscribers using Ascend-Data-Filter


Article ID: KB31614
KB Last Updated: 10 May 2017
Version: 1.0
Summary:

The following excerpt is from Ascend-Data-Filter Policies for Subscriber Management Overview:

Subscriber management enables you to use Ascend-Data-Filters to create policies for subscriber traffic. An Ascend-Data-Filter is a binary value that is configured on the RADIUS server.

Subscriber management uses a dynamic profile to obtain the Ascend-Data-Filter attribute (RADIUS attribute 242) from the RADIUS server and apply the policy to a subscriber session. Dynamic profiles support Ascend-Data-Filters for inet and inet6 family types, and both families can be present in a dynamic profile.

This article provides an example for configuring a firewall filter for subscribers using Ascend-Data-Filter.

Solution:

Configuration

labroot@ERX-MX480-II-RE0# show dynamic-profiles PPPoE-TEST
routing-instances {
    "$junos-routing-instance" {
        interface "$junos-interface-name" {
            any;
        }
    }
}
interfaces {
    pp0 {
        unit "$junos-interface-unit" {
            no-traps;
            ppp-options {
                chap;
                pap;
            }
            pppoe-options {
                underlying-interface "$junos-underlying-interface";
                server;
            }
            keepalives interval 30;
            family inet {
                filter {
                    input "$junos-input-filter" precedence 250;
                    output "$junos-output-filter" precedence 250;
                    adf {   <-- Ascend-Data-Filter included in dynamic-profile.
                        rule "$junos-adf-rule-v4";
                        counter;
                        input-precedence 252;
                        output-precedence 252;
                    }
                }
                unnumbered-address "$junos-loopback-interface";
            }
        }
    }
}

Attributes configured on the RADIUS server

test@mx.com Cleartext-Password := "jtac123"
            Framed-IP-Address := "177.220.177.164",
            X-Ascend-Data-Filter = "ip in forward dstip 1.1.1.1/32 0 dstport = 25",
            X-Ascend-Data-Filter += "ip in forward",
            X-Ascend-Data-Filter += "0x01010100000000000000000000000000000000000000000000000b626573742d6566666f72740b706c63722d4f474f2d336d",
            ERX-Ingress-Policy-Name = "test",
            ERX-Egress-Policy-Name = "test"

               
Refer to Ascend-Data-Filter Attribute Fields for more information.

The hex-encoded third X-Ascend-Data-Filter value above breaks down as: IPv4, Accept, Ingress, 0b = Length, 626573742d6566666f7274 = best-effort, 0b = Length, 706c63722d4f474f2d336d = plcr-OGO-3m.

Refer to Online-toolz for converting text to hex.

labroot@ERX-MX480-II-RE0# run show subscribers extensive
Type: VLAN
Logical System: default
Routing Instance: default
Interface: demux0.3221225482
Interface type: Dynamic
Underlying Interface: xe-3/0/0
Dynamic Profile Name: DYN-DEMUX3
Dynamic Profile Version: 1
State: Active
Session ID: 42
PFE Flow ID: 19
VLAN Id: 100
Login Time: 2017-04-09 10:41:27 IST

Type: PPPoE
User Name: test@mx.com
IP Address: 177.220.177.164
IP Netmask: 255.255.255.255
Logical System: default
Routing Instance: default
Interface: pp0.3221225483
Interface type: Dynamic
Underlying Interface: demux0.3221225482
Dynamic Profile Name: PPPoE-TEST
Dynamic Profile Version: 1
MAC Address: 6e:51:35:4e:00:00
Idle Timeout (seconds): 7200
Idle Timeout Ingress Only: FALSE
State: Active
Radius Accounting ID: 43
Session ID: 43
PFE Flow ID: 20
VLAN Id: 100
Login Time: 2017-04-09 10:41:27 IST
IPv4 Input Filter Name: test-pp0.3221225483-in
IPv4 Output Filter Name: test-pp0.3221225483-out
ADF IPv4 Input Filter Name: __junos_adf_43-pp0.3221225483-inet-in
                    Rule 0: 0101010000000000010101010020000000000019000200000000000000000000
                            from {
                                destination-address 1.1.1.1/32;
                                destination-port 25;
                            }
                            then {
                                accept;
                            }
                    Rule 1: 0101010000000000000000000000000000000000000000000000000000000000
                            then {
                                accept;
                            }
                    Rule 2: 01010100000000000000000000000000000000000000000000000b626573742d6566666f72740b706c63722d4f474f2d336d
                            then {
                                forwarding-class best-effort;
                                policer plcr-OGO-3m;
                                accept;
                            }
Accounting interval: 600
Dynamic configuration:
      junos-adf-rule-v4: 0101010000000000010101010020000000000019000200000000000000000000
      junos-adf-rule-v4: 0101010000000000000000000000000000000000000000000000000000000000
      junos-adf-rule-v4: 01010100000000000000000000000000000000000000000000000b626573742d6566666f72740b706c63722d4f474f2d336d
  junos-input-filter: test
  junos-output-filter: test
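
A hex-encoded rule can be decoded offline and compared with what the router reports before the value is placed in the RADIUS users file. The following is an added example, not part of the original article or Juniper code: the field positions are read off Rule 0 and its decoded form above, while the 26-byte offset of the name fields, the "discard"/"egress" value names and the qualifiers other than 2 are assumptions not stated on this page.

```python
import ipaddress
import struct

# "accept"/"ingress" and qualifier 2 ("=") match the page; the other value
# names and the 26-byte offset of the name fields are assumptions.
ACTIONS = {0: "discard", 1: "accept"}
DIRECTIONS = {0: "egress", 1: "ingress"}
QUALIFIERS = {1: "<", 2: "=", 3: ">", 4: "!="}
NAMES_OFFSET = 26


def decode_adf(hex_value):
    """Decode one IPv4 Ascend-Data-Filter rule given as a hex string."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < NAMES_OFFSET or raw[0] != 1:
        raise ValueError("not an IPv4 Ascend-Data-Filter rule")
    (_type, action, direction, _spare, src, dst, src_len, dst_len, proto,
     _est, sport, dport, sq, dq) = struct.unpack("!4B4s4s4B2H2B", raw[:22])
    rule = {
        "action": ACTIONS.get(action, action),
        "direction": DIRECTIONS.get(direction, direction),
        "source": f"{ipaddress.IPv4Address(src)}/{src_len}",
        "destination": f"{ipaddress.IPv4Address(dst)}/{dst_len}",
        "protocol": proto,
        "source_port": (QUALIFIERS.get(sq, sq), sport) if sq else None,
        "destination_port": (QUALIFIERS.get(dq, dq), dport) if dq else None,
    }
    pos = NAMES_OFFSET
    for key in ("forwarding_class", "policer"):  # each is <length><name>
        length = raw[pos] if pos < len(raw) else 0
        name = raw[pos + 1:pos + 1 + length]
        if len(name) != length:
            raise ValueError(f"truncated {key} field")
        rule[key] = name.decode("ascii") if name else None
        pos += 1 + length
    return rule


# Rule 0 as shown in the page's output, split into 4-byte groups.
RULE_0 = ("01010100" "00000000" "01010101" "00200000"
          "00000019" "00020000" "00000000" "00000000")
# Constructed to match the page's annotation of the third value: all-zero
# fixed part (assumed 26 bytes), then the two length-prefixed names.
RULE_2 = ("0x01010100" + "00" * 22 + "0b" + b"best-effort".hex()
          + "0b" + b"plcr-OGO-3m".hex())

if __name__ == "__main__":
    for value in (RULE_0, RULE_2):
        print(decode_adf(value))
```

A decoded rule that does not match the intended policy (for example an unexpected "accept" with no address or port match) is easier to spot here than in the raw hex.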